illumos gate

Attempting to boot Tribblix for SPARC under qemu-system-sparc64, I see:

panic[cpu0]/thread=30001180760: BAD TRAP: type=31 rp=2a1002d2d70 addr=248 mmu_fsr=0 occurred in module "fd" due to a NULL pointer dereference

000002a1002d2cc0 unix:ktl0+48 (6001180e1c0, 2a1002d2e78, 0, 4, 6001180e298, 2a1002d2f6c)
%l0-3: 0000000000000004 0000000000001400 0000000080001603 000000000101b1c0
%l4-7: 0000000000000f01 0000000000000000 0000000000000000 000002a1002d2d70
000002a1002d2e10 fd:fdmotoff+10 (6001180e100, 2, 6001180e298, 0, 4, 2a1002d2f6a)
%l0-3: 000006001180e1c0 00000600119f3300 0000000000002000 0000000000002006
%l4-7: 0000000000000000 0000000000000000 0000000000003000 000003000004abe0
000002a1002d2ec0 fd:fd_cleanup+60 (30000deb498, 6001180e100, 0, 0, 0, 0)
%l0-3: 0000000001931c00 000002a1002d2f6a 00000300000c11e0 000006001078ef68
%l4-7: 0000060011a0bc80 0000000000000000 0000000000003000 0000030000048460
000002a1002d2f70 fd:fd_attach+4fc (30000deb498, 0, 0, 0, 8, 300000bb000)
%l0-3: 0000000001931c00 00000000018bc4a8 000006001180e100 000000000185a728
%l4-7: 0000000000000000 00000000012e7b20 00000000018bc400 0000000000000320
000002a1002d3060 genunix:devi_attach+70 (ffffffffffffffff, 7b6582e0, 1a, 0, 0, 3000004b388)
%l0-3: 0000030000deb498 0000000000000000 000002a1002d3110 00000300000c7f08
%l4-7: 0000000000000000 0000000000000000 0000000000003000 000003000004b360
[and more]

Inspecting the code, fdmotoff is called from fd_cleanup.

The are multiple calls to fd_cleanup, but some of them (the first 5 with locks=0) occur before fdc->c_un has been initialized at line 727 in fd.c, and fdmotoff unconditionally refers to fdc->c_un->un_unit_no. So we shouldn't call fdmotoff at all from fd_cleanup if things haven't been initialized yet.